We will collect, use, store and disclose Personal Information in accordance with the following privacy principles:
1. Accountability
The overall responsibility for ensuring our compliance with data privacy laws and this privacy policy rests with the Chief Compliance Officer, who is our Privacy Officer, although other individuals within Otter have responsibility for the day-to-day collection and processing of Personal Information and may be delegated to act on behalf of the Privacy Officer. We are responsible for Personal Information in our possession or custody, including Personal Information that we may transfer to third parties for processing. We will require our service providers to agree to contractual requirements that are consistent with our privacy and security policies. We will require that our service providers are prohibited from using Personal Information, except for the specific purpose for which we supply it to them.
2. Identifying Purposes
Either before or at the time of collection, we will identify the purposes for which we plan to use the Personal Information. Depending upon the way in which the Personal Information is collected, this can be done orally or in writing. The primary source of the Personal Information we collect is from our Customers and prospective Customers. We may also collect information from the following sources:
- Publicly available sources of information, such as the Internet, newspapers and magazines;
- Third-party sources, such as credit bureaus, suppliers and business partners;
- Referral sources; and
- Application Programming Interface (API) with third parties, and screen scraping of bank account information and website cookies.
Otter may use the information we collect for the following purposes:
- to supply Services to our Customers;
- to provide Customers with access to Otter Services;
- to respond to Customer inquiries about accounts and other services;
- to understand our Customers' and prospective Customers' needs and to offer Services to meet those needs;
- to conduct credit checks on Customers or prospective Customers; and
- to meet legal requirements.
Unless required by law, we will not use Personal Information for a new purpose without the knowledge and consent of the individual to whom the information relates.
3. Consent
Personal Information will only be collected, used or disclosed with the consent of the individual, except where otherwise permitted or required by law. The way in which we seek consent may vary depending upon the sensitivity of the information sought. We will obtain consent in all cases where the Personal Information involved is considered sensitive, such as income or health information.
Typically, we will seek consent for the use or disclosure of Personal Information at the time of collection. However, additional consent will be sought after the Personal Information has been collected if the Personal Information is required for a new purpose. Whenever we seek consent, we will provide you with access to our Privacy Policy.
In certain circumstances, obtaining consent may be inappropriate. The federal Personal Information Protection and Electronic Documents Act and provincial privacy laws provide for exceptions where it is impossible or impractical to obtain consent. We will comply with the applicable legal requirements in all cases.
4. Limiting Collection
We will collect Personal Information by fair and lawful means and will limit the amount and type of Personal Information we collect to that which is necessary for our identified purposes. We will collect Personal Information to provide our banking services, accounting services, legal services, and other related business services through our Platform and Mobile App. The Personal Information we collect may include, but is not limited to, the following:
- Contact information (such as name, address, email address, birthdate and phone number)
- Financial information (such as bank account details and transaction history)
- Business information (such as company name, business address, business identification numbers, type of entity, articles of incorporation and constating documents)
- Identification information (such as government-issued identification documents and Social Insurance Number)
- Employment information (such as employment history and job title)
For our business customers, we may also collect business information, such as company name, business address, business identification numbers, type of entity, articles of incorporation and constating documents.
5. Limiting Use, Disclosure and Retention
We will not use or disclose Personal Information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. We use Personal Information for the following purposes:
- To verify and authenticate Customer identities
- To process transactions and provide requested services
- To communicate with Customers regarding their business operations, accounts, transactions, and inquiries
- To comply with legal and regulatory requirements
- To improve our services and tailor them to Customer needs, including through use of cookies on our Platform
- To conduct internal research and analysis
- To complete vendor information security assessments for PCI-DSS certification and SOC 2 Type II compliance.
We may disclose Personal Information to the following third parties, and will do so strictly on a need-to-know basis and in compliance with applicable privacy laws:
- Financial partners and institutions involved in providing banking services
- Professional advisors, such as accountants and lawyers, assisting us in delivering accounting and legal services
- Lawyers and law firms, to whom we provide referrals
- Government authorities or regulators as required by law or for the purpose of compliance
- Suppliers and third-party service providers engaged by us to perform functions on our behalf, such as data hosting, natural language processing and data analysis, Customer support, and payment processing.
At any time, you may withdraw consent to the use or disclosure of Personal Information for any of the purposes described above. You may withdraw your consent through the preference tools we provide on our Platform or by contacting our Privacy Officer. Please note that if you withdraw consent to certain uses of Personal Information, we may no longer be able to provide you with our services.
We will retain Personal Information for as long as it is necessary to fulfill the purposes for which it was collected and as required by applicable laws. Otter uses cloud hosting services based in Canada and the United States to store all Personal Information. All data transmission over the public internet will occur over TLS-encrypted connections. All data is encrypted at rest using AES-256 encryption.
Upon an employee's resignation, retirement, or termination of employment, the employee's Personal Information will be destroyed in a secure manner and in accordance with applicable privacy legislation.
Subject to any applicable business, legal, or regulatory requirements, we will ensure that the data is destroyed in a secure manner, erased, or made anonymous.
6. Accuracy
We will use our best efforts to ensure that Personal Information that is used on an ongoing basis and information that is used to make a decision about an individual is as accurate, complete, and up-to-date as necessary for the purpose for which it is to be used.
7. Safeguards
We will protect Personal Information with safeguards appropriate to the level of sensitivity of the information. Our safeguards protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which the information is held. We will exercise care in the disposal or destruction of Personal Information to prevent unauthorized parties from gaining access to the information. Our methods of protection include physical measures (e.g., locked file storage and restricted access to offices), organizational measures (e.g., security clearances and limiting access on a need-to-know basis), and technological measures (e.g., the use of passwords and encryption). We also require third parties and service providers to provide a comparable level of protection to Personal Information that we may supply to them.
8. Individual Access
Upon written request, we will inform an individual of the existence, use, and disclosure of his/her Personal Information and give him/her reasonable access to that information. We may deny access for legally permissible reasons (such as situations where the information is prohibitively costly to provide), if it contains references to other individuals, or where it cannot be disclosed for legal, security, or commercial proprietary reasons. We will advise the individual of any reason for denying an access request. When an individual successfully demonstrates the inaccuracy or incompleteness of Personal Information held by us, we will correct or update the information as required.
9. Filing Inquiries and Complaints
We will investigate all written complaints and respond to all written inquiries. If we find a complaint to be justified, we will take appropriate measures to resolve it.